Account Management 3.0
 
Troubleshooting Secret Store (3.03) for Account Management
    Troubleshooting Secret Store Notes
  1. Upgrade NICI. NICI should be upgraded to the latest available version: currently 2.4.0 SP 1 for NetWare, 2.4.0 for other platforms. For best results, do the NICI upgrade on all eDir servers, but at a minimum do the upgrade on all SecretStore servers and your tree key server. An out-of-date NICI will potentially cause SecretStore errors -801 and -825.
    Note that installing SP 2 for NetWare 6 apparently downgrades NICI to 2.0.1.
  2. Verify LDAP host names. If the Agent can't locate an SS server (error code -1), it may be because LDAP on the server can't resolve its hostname. Add a DNS entry for the server, or add an entry in the server's HOSTS file (see your OS TCP/IP documentation).
  3. Where to run SecretStore. A SecretStore server must have replicas for users whose secrets it is going to modify. It must also have a replica containing the configured ASAMUSER, which is ASAMMaster by default. So identify all users whose passwords need to be replicated, and make sure Secret Store is installed on at least one server that contains a replica for those users. Then verify that all SS servers contain a replica for the configured ASAMUSER. If a server isn't available for a user's partition, the Agent will likely report error -1. If the ASAMUSER's replica isn't on the SS server, you will get error -805.
  4. If your top-level Organization object in eDir has the same name as your tree, you will likely receive -805 errors on SecretStore operations. This is due to a known DS issue. The solution is to create a new top-level Organization. In this Org., create a new user and make it equivalent to admin. Now change all ASAMCORE.CONF files (for Manager and Agents) to use this ASAMUSER and its ASAMPASSWORD. Replicas containing the new ASAMUSER must exist on all SS servers.
  5. Make sure the STORAGEKEY statement is present and identical in all ASAMCORE.CONF files (for Manager and Agents).

    Troubleshooting Account Management Specific Secret Store Errors (found in the Manager and Agent operational log)
  6. Error code 0: The reporting of this error code is in fact a known bug that will be fixed in a Support Pack. Look in the log file for other SS errors and refer to the help for those errors. If there are no other SS errors, refer to the help for -1.
    Error code -1: This is not an SS error code, but it indicates that the ASAM component could not locate an SS server for the specified user.
    Follow these steps:
  7. Verify that SS and LDAP are loaded on an eDirectory server in the tree. Windows: SSS.DLM and SSLDP.DLM must be started. NetWare: SSS.NLM and SSLDP.NLM must be loaded. UNIX: Process /sbin/nss should be running.
  8. Verify that the server has a replica of the specified user (see "Where to run SecretStore" above).
  9. See the "Verify LDAP host names" issue above.
  10. If an SS server has been recently booted, it takes 30 minutes to update its "advertisement." On Windows and UNIX, restart the SS modules to force an update. There is no current workaround for NetWare. Retry the operation after 30 minutes or restart the secret store modules on that server to jump start it.

    Other Errors (found in the Manager and Agent operational log)
  11. Error code -801: NICI not found. See the "Upgrading NICI" text above, and refer to NICI documentation for more info.
  12. Error code -804: Access denied. The current ASAMUSER (usually ASAMMaster) has insufficient rights to access the user's SecretStore. Giving the ASAMUSER supervisor rights to the tree fixes this problem.
  13. Error code -805: NDS Error. The server has no replica for the ASAMUSER, or the ASAMUSER is under an Organization with the same name as the tree. See "Where to run SecretStore" above.
  14. Error code -813: This is usually seen in the Manager logs. It merely means that the user has no SecretStore. The password must be "pushed" into SecretStore by an Intercept first, or by doing a check with the AS client. Refer to Agent logs to determine why the password wasn't stored.
  15. Error code -825: NICI operation failed. See "Upgrading NICI" text above.
  16. Error code -826: SecretStore not available. Verify that SS is running on a server. Restarting a server may fix this.
  17. If you get an error in the range of -32 to -100, this is due to a known bug: subtract 768 to determine the real SS error code.
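
The error-code rules above can be applied to a log in one pass. The following is an added example, not part of the original document or of any vendor tooling. It assumes log lines contain the words "error code" followed by a signed integer; the sample lines are constructed, and the names triage and normalize are hypothetical.

```python
import re

# Guidance condensed from the error descriptions on this page.
GUIDANCE = {
    -1: "No SS server located for the user: check SS/LDAP modules, replicas, LDAP host names",
    -801: "NICI not found: upgrade NICI",
    -804: "Access denied: ASAMUSER lacks rights to the user's SecretStore",
    -805: "NDS error: no ASAMUSER replica, or Organization named like the tree",
    -813: "User has no SecretStore yet: check Agent logs",
    -825: "NICI operation failed: upgrade NICI",
    -826: "SecretStore not available: verify SS is running",
}

# Assumed log shape: the words "error code" followed by a signed integer.
CODE_RE = re.compile(r"error code\s*:?\s*(-?\d+)", re.IGNORECASE)


def normalize(code):
    """Apply the page's correction: codes in -32..-100 are really code - 768."""
    return code - 768 if -100 <= code <= -32 else code


def triage(lines):
    """Return (code, guidance) pairs for the SS errors found in lines."""
    codes = set()
    for line in lines:
        for m in CODE_RE.finditer(line):
            codes.add(normalize(int(m.group(1))))
    # Code 0 is a reporting bug: prefer the other SS errors, else treat as -1.
    if 0 in codes:
        codes.discard(0)
        if not codes:
            codes.add(-1)
    ordered = sorted(codes, reverse=True)
    return [(c, GUIDANCE.get(c, "Not covered on this page")) for c in ordered]


# Constructed sample log lines (not real product output).
SAMPLE_LOG = [
    "2004-03-01 10:02:11 Agent: SecretStore write failed, error code -37",
    "2004-03-01 10:02:15 Agent: SecretStore write failed, error code 0",
    "2004-03-01 10:03:40 Manager: SecretStore read failed, error code -813",
    "2004-03-01 10:05:02 Agent: SecretStore write failed, error code -57",
]

if __name__ == "__main__":
    for code, advice in triage(SAMPLE_LOG):
        print(f"{code}: {advice}")
```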